5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2

Analysis

max time kernel
151s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Size

4.0MB
MD5

4118f91d13a805a48ed5c5d03ff52054
SHA1

194ea8ee61af70fc98afece3f350e5440169f94c
SHA256

5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2
SHA512

8dcab827000a488caf2691e504426a562e5f2b5846a8d81371bae99caa9d24f5c101ecdace81bf514cc4e6587406c50b86d1aeda5f25b35912fff4a7a1b94f71
SSDEEP

49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	sysxbod.exe
1664	devdobec.exe

Loads dropped DLL 2 IoCs

pid	Process
1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE0\\devdobec.exe"	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBER\\dobdevloc.exe"	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe
2060	sysxbod.exe
1664	devdobec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2060	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	28
PID 1928 wrote to memory of 2060	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	28
PID 1928 wrote to memory of 2060	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	28
PID 1928 wrote to memory of 2060	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	28
PID 1928 wrote to memory of 1664	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	29
PID 1928 wrote to memory of 1664	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	29
PID 1928 wrote to memory of 1664	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	29
PID 1928 wrote to memory of 1664	1928	5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe	29

C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
"C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\AdobeE0\devdobec.exe
  C:\AdobeE0\devdobec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\AdobeE0\devdobec.exe

Filesize
4.0MB

MD5
3e3bdefe2236fdd881549f350b257c4a

SHA1
c07b94e3def90879fd8a31b187079f19900b3518

SHA256
e31088fd5c3e897e7e9202321a21056740eae5126f074784091a154d12d34488

SHA512
536e326518a86501c9ae3ff312af3aaa6b83d5fcecc844e6cf3a199ac042222560deda52b4a967a3919bfbf9810dc802050b38bfd5ae60ebfeedbdd1bbd8fb2e

Download Submit
C:\KaVBER\dobdevloc.exe

Filesize
1.7MB

MD5
cdd97b53b5ff1c4c91ddadde33a72d19

SHA1
e874795b48a2225d7a2708576fd4d0606378c736

SHA256
438c7c7dea5c73e6703f67772e6ae3226277177616fe6469e4a85d7a37eb1fde

SHA512
e74bbb0f1a6c70a85e4a19f9210eb0a23ba0e66948a6e4ed7d84876eb2015b382eddbad1ef6992eb2581bd54de559a61e47b322cd032e848d367ac45a3f59cc0

Download Submit
C:\KaVBER\dobdevloc.exe

Filesize
4.0MB

MD5
3f6afcb754d180f568da1ba75a833e86

SHA1
4d13e61820ae0694f25fc85fb9a77cf2e83a7f11

SHA256
47e8cf813c66d4f29105bcbfad5fe1173fda27b525d51b1179c6174b4f0d5149

SHA512
e5c2f2e024a424fd6c24f9dd64ada749a090df670d5b26a0c55ea041a9efa979710a013229b8941e2ec56d88662b09d0920e3516ffc86d6e2f49baa100a57f65

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
171B

MD5
32855409e02fe45e25e2db54268f2141

SHA1
b4583c99d59a6a4d1f38596a4f327f9d4a52f4a6

SHA256
af4bf2b8437287043cf6e9f57bf060ca247683751ae3fdb576422c6b437f8562

SHA512
9ecc4b3574b26bc2cbf8234ff2661389382960cf7e826f94e4cc2f0a1a64fb9d96d55acb62bd12ccb9ae3c8662c8f6029a437a1890ad9b62587a40854ab2465e

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
203B

MD5
15d5ccba2e83c78a824933bb4820efe8

SHA1
68cdbb253ba85648adabc96f78abf4ef3be1f317

SHA256
8eaa5f182388eee5f172d3270bda97f18d461412ff18636a1fcad9e416e634dd

SHA512
b8670b97e2c735744259c7e1eb4f78aae1d383b40dd95fc94978b3762a0b021e14ac822303f3f9243709a51b2770baf5a89aa5024ef5a1ba66cf72c3628c02bb

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe

Filesize
4.0MB

MD5
368ea07137f249ec021ecea4c4e4bfe6

SHA1
f9e71f5c8712e92147ac2cfc7c52fb1d7bda8276

SHA256
351509666e1191b371a239a07e71ea6e7cde6fbfe028b3a042ea593c6adbc769

SHA512
27dfe24c0b60aee3579ef2979a8360388d1e5e5014a5630834d8bd25958b6219b6323ce41a69dbb7ec167b6f6a63eeafe72292e479632adc517ca31759f39c1d

Download Submit